jBPM / JBPM-5020

When Keycloak authentication is enabled, it should be applied not only to the Workbench UI but also to the REST API


    Description

      I have enabled Keycloak authentication for kie-wb.war. Now I have all users managed by the Keycloak auth server and I can log in to Workbench (http://localhost:8080/kie-wb/) through the Keycloak login form. It should also be possible to use a Keycloak-managed user's credentials for the REST API (and other web resources that require the BASIC auth method).

      Currently the BASIC auth method for /rest/* is implemented by mapping the BasicAuthSecurityFilter to it. BasicAuthSecurityFilter reads credentials from the Authorization header and uses them to log in to Errai's AuthenticationService, which uses the container's security domain defined for the web app. For example, in the kie-wb EAP6 distribution, the domain is referenced from jboss-web.xml and is named "other", which is the default security domain and reads users and groups from a property file. Therefore, it is still possible to access /rest/* while Keycloak is enabled, but only at the cost of managing users in two different places.

      To sum it up: when Keycloak is used to manage Workbench UI users, those users should also have access to /rest/*. Please provide configuration steps needed to make this possible.

          People

            romartin@redhat.com Roger Martinez
            jlocker Jiří Locker